CA issued SSL Certificate Usefulness

I have been trying to setup SSL between Client and Server. As I was looking into this, I wasn't able to understand the usefulness of CA issued SSL Certificate, other than it having the Public Key of the Server.

Since the Certificate Exchange with the CLient is unencrypted, if someone can get between the Client and Server, they can masquerade as the Server, and then respond with the Server Certificate to a ClientHello message ( Irrespective of whether the Cert is signed by CA or not.) .

Since the Cert has the Public Key of the Server, during the exchange of the Master Key Secret, the Client can use this to encrypt the Secret, and the "man in the middle" will be unable to decrypt, as he doesn't have the "private key" of the Server. I see this as the greatest benefit.. Is my understanding Correct?

If we enable Client verification, where the CLient needs to send its Certificate, again, I don't see much of a benefit here. Does the Server use the Client's Public Key outside of Client-Certificate Verification?


the "man in the middle" will be unable to decrypt, as he doesn't have the "private key" of the Server

Yes, unless the MITM has access to the private key, he will not be able to proceed. In fact, if you look at the diagram of the TLS handshake, the ClientKeyExchange step is where the client encrypts the pre-master secret with the server public key and only someone with access to the private key can decrypt that message. In the absence of the private key, the TLS handshake will fail.

If certificate verification is required for the client, the server sends a CertificateRequest message asking the client to present a certificate. Note that this is optional. In such a scenario, the client presents its own certificate and executes the CertificateVerify step which involves the client computing a digital signature over all preceding handshake messages using its private key and the server then uses the public key present in the client certificate to verify that the client has access to both the public and private parts of the asymmetric key.

链接地址: http://www.djcxy.com/p/21758.html

上一篇: SSL和公钥安全

下一篇: CA颁发了SSL证书有用性